evoacme :
- Don't generate dhparams (not the evoacme role's job) - Generate the SSL conf file for the vhost
This commit is contained in:
parent
1f653b1fdc
commit
d3310007c3
|
@ -1,4 +1,4 @@
|
|||
# Evoacme 1.4
|
||||
# Evoacme 1.5
|
||||
|
||||
EvoAcme is an [Ansible](https://www.ansible.com/) role and a [Certbot](https://certbot.eff.org) wrapper for generate [Let's Encrypt](https://letsencrypt.org/) certificates.
|
||||
|
||||
|
@ -45,7 +45,7 @@ service nginx reload
|
|||
make-csr vhostname
|
||||
~~~
|
||||
|
||||
8 - Generate the certificate with evoacme
|
||||
5 - Generate the certificate with evoacme
|
||||
|
||||
~~~
|
||||
# evoacme look for /etc/ssl/requests/vhostname
|
||||
|
@ -53,6 +53,22 @@ make-csr vhostname
|
|||
evoacme vhostname
|
||||
~~~
|
||||
|
||||
6 - Include ssl configuration
|
||||
|
||||
Sll configuration has generated, you must include it in your vhost.
|
||||
|
||||
For Apache :
|
||||
|
||||
~~~
|
||||
Include /etc/apache2/ssl/vhost.conf
|
||||
~~~
|
||||
|
||||
For Nginx :
|
||||
|
||||
~~~
|
||||
include /etc/nginx/ssl/vhost.conf;
|
||||
~~~
|
||||
|
||||
# License
|
||||
|
||||
Evoacme is open source software licensed under the AGPLv3 License.
|
||||
|
|
|
@ -1,6 +1,9 @@
|
|||
#!/bin/bash
|
||||
|
||||
source /etc/default/evoacme
|
||||
[ -f /etc/default/evoacme ] && source /etc/default/evoacme
|
||||
[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private'
|
||||
[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests'
|
||||
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
|
||||
|
||||
vhost=$1
|
||||
|
||||
|
@ -27,42 +30,30 @@ rm -f $CRT_DIR/${vhost}.crt $CRT_DIR/${vhost}-fullchain.pem $CRT_DIR/${vhost}-ch
|
|||
sudo -u acme certbot certonly --quiet --webroot --csr $CSR_DIR/${vhost}.csr --webroot-path $ACME_DIR -n --agree-tos --cert-path=$CRT_DIR/${vhost}.crt --fullchain-path=$CRT_DIR/${vhost}-fullchain.pem --chain-path=$CRT_DIR/${vhost}-chain.pem $emailopt --logs-dir $LOG_DIR 2> >(grep -v certbot.crypto_util)
|
||||
|
||||
if [ $? != 0 ]; then
|
||||
openssl x509 -req -sha256 -days 365 -in $CSR_DIR/${vhost}.csr -signkey $SSL_KEY_DIR/${vhost}.key -out $CRT_DIR/${vhost}-fullchain.pem
|
||||
if [ -d /etc/apache2 ]; then
|
||||
sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem~" /etc/apache2/ssl/${vhost}.conf
|
||||
fi
|
||||
if [ -d /etc/nginx ]; then
|
||||
sed -i "s~^ssl_certificate[^_]*$~ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;~" /etc/nginx/ssl/${vhost}.conf
|
||||
fi
|
||||
exit 1
|
||||
fi
|
||||
|
||||
which apache2ctl>/dev/null
|
||||
if [ $? == 0 ]; then
|
||||
apache2ctl -t 2>/dev/null
|
||||
sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}-fullchain.pem~" /etc/apache2/ssl/${vhost}.conf
|
||||
apache2ctl -t 2>/dev/null
|
||||
if [ $? == 0 ]; then
|
||||
service apache2 reload
|
||||
fi
|
||||
fi
|
||||
which nginx>/dev/null
|
||||
if [ $? == 0 ]; then
|
||||
sed -i "s~^ssl_certificate[^_]*$~ssl_certificate $CRT_DIR/${vhost}-fullchain.pem;~" /etc/nginx/ssl/${vhost}.conf
|
||||
nginx -t 2>/dev/null
|
||||
if [ $? == 0 ]; then
|
||||
service nginx reload
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -z "$renew" ]; then
|
||||
|
||||
cat <<EOF
|
||||
|
||||
- Nginx configuration :
|
||||
|
||||
ssl_certificate $CRT_DIR/${vhost}-fullchain.pem;
|
||||
ssl_certificate_key /etc/ssl/private/${vhost}.key;
|
||||
|
||||
- Apache configuration :
|
||||
|
||||
SSLEngine On
|
||||
SSLCertificateFile $CRT_DIR/${vhost}-fullchain.pem
|
||||
SSLCertificateKeyFile /etc/ssl/private/${vhost}.key
|
||||
|
||||
EOF
|
||||
|
||||
fi
|
||||
|
||||
exit 0
|
||||
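Review bot: The nginx substitution `s~^ssl_certificate[^_]*$~...~` on the two new sed lines (the self-signed fallback and the post-certbot rewrite) stops matching as soon as the path on that line contains an underscore, so a vhost or directory name with `_` leaves the old certificate in place while the script still reloads nginx. Anchoring on the separator instead avoids that: `sed -i "s~^ssl_certificate[[:space:]].*$~ssl_certificate $CRT_DIR/${vhost}-fullchain.pem;~" /etc/nginx/ssl/${vhost}.conf` (same form for the self-signed branch). All four new sed calls also build the target path from `vhost=$1`, which the script takes earlier in the file without any check; a guard next to the assignment such as `[[ "$vhost" =~ ^[A-Za-z0-9.-]+$ ]] || exit 1` keeps `sed -i` from touching anything outside the two ssl directories. Finally, the fallback branch writes the self-signed certificate to `$CRT_DIR/${vhost}-fullchain.pem` but points the vhost configuration at `$SELF_SIGNED_DIR/${vhost}.pem`; if that is deliberate (the make-csr certificate being reused), a one-line comment saying so would help, otherwise the `-out` path should match the configured one.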
|
|
|
@ -1,8 +1,6 @@
|
|||
#!/bin/bash
|
||||
|
||||
if [ -f /etc/default/evoacme ]; then
|
||||
source /etc/default/evoacme
|
||||
fi
|
||||
[ -f /etc/default/evoacme ] && source /etc/default/evoacme
|
||||
[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private'
|
||||
[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests'
|
||||
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
|
||||
|
@ -65,7 +63,6 @@ done
|
|||
if [ $nb -eq 0 ]; then
|
||||
nb=`echo $domains|wc -l`
|
||||
echo "No valid domains : $domains" >&2
|
||||
exit 1
|
||||
else
|
||||
domains=$valid_domains
|
||||
fi
|
||||
|
@ -92,3 +89,24 @@ if [ -f $CSR_DIR/${vhost}.csr ]; then
|
|||
chmod 644 $SELF_SIGNED_DIR/${vhost}.pem
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -d /etc/apache2 ]; then
|
||||
mkdir -p /etc/apache2/ssl
|
||||
if [ ! -f /etc/apache2/ssl/${vhost}.conf ]; then
|
||||
cat > /etc/apache2/ssl/${vhost}.conf <<EOF
|
||||
SSLEngine On
|
||||
SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem
|
||||
SSLCertificateKeyFile $SSL_KEY_DIR/${vhost}.key
|
||||
EOF
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -d /etc/nginx ]; then
|
||||
mkdir -p /etc/nginx/ssl
|
||||
if [ ! -f /etc/nginx/ssl/${vhost}.conf ]; then
|
||||
cat > /etc/nginx/ssl/${vhost}.conf <<EOF
|
||||
ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;
|
||||
ssl_certificate_key $SSL_KEY_DIR/${vhost}.key;
|
||||
EOF
|
||||
fi
|
||||
fi
|
||||
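Review bot: The new `cat > /etc/apache2/ssl/${vhost}.conf` and `cat > /etc/nginx/ssl/${vhost}.conf` lines interpolate `vhost` straight into a root-owned path, and the variable is assigned before this hunk without any visible check, so a value containing `/` or `..` would create the file somewhere else; a guard near the assignment, e.g. `[[ "$vhost" =~ ^[A-Za-z0-9.-]+$ ]] || exit 1`, keeps the write inside the two ssl directories. The evoacme script later rewrites these files with sed patterns anchored at `^SSLCertificateFile` and `^ssl_certificate`, so the heredoc bodies must stay at column 0 — if these lines are indented in the file the rewrite silently does nothing; a comment above each heredoc, `# keep at column 0: evoacme rewrites these lines with an anchored sed`, documents that coupling. The `[ ! -f ... ]` guards mean an existing file is never regenerated, which is presumably intended so local edits survive; a short comment saying so would stop someone "fixing" it.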
|
|
|
@ -1,4 +0,0 @@
|
|||
- name: Generate DH paramaters
|
||||
command: openssl dhparam -rand - {{ evoacme_dhparam_size }} -out /etc/ssl/dhparam.pem
|
||||
args:
|
||||
creates: /etc/ssl/dhparam.pem
|
|
@ -14,6 +14,3 @@
|
|||
|
||||
- include: tasks/nginx.yml
|
||||
when: stn.stat.isreg is defined and stn.stat.isreg
|
||||
|
||||
- include: tasks/dhparam.yml
|
||||
when: stn.stat.isreg is defined and stn.stat.isreg
|
||||
|
|